httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Broken URI-unescaping in mod_proxy
Date Thu, 13 Sep 2007 15:06:04 GMT
On Sep 13, 2007, at 7:54 AM, Plüm, Rüdiger, VF-Group wrote:
>> Changes to the request URI must be referred back to the client in the
>> form of a redirect.  Any other choice will cause security holes in
>> the request chain, somewhere.
>>
>> The proxy (when acting as a proxy) must not change the URI.
>>
>> The reverse proxy (gateway) is just an origin server with a
>> stupid name -- it must send a redirect if it makes the above
>> change to a URI.
>
> Sorry for being confused, but what change to a URI are you
> talking about? Transforming
>
> GET /a/../b/somewhere
>
> into
>
> a request for /b/somewhere?
>
> This is the usual transformation we do also in the case we deliver
> static content (without sending a redirect to /b/somewhere).

We are supposed to be sending a redirect (or 403) in that case.
Is that not true?

....Roy


Mime
View raw message